Talos Vulnerability Report

TALOS-2017-0334

June 19, 2017

CVE Number

CVE-2017-2833

Summary

An exploitable command injection vulnerability exists in the web management interface of the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow an authenticated user to store arbitrary shell characters in an account's username or password, resulting in command injection when the device boots. To trigger this vulnerability, an attacker needs to send an HTTP request and then reboot the device.

Tested Versions

Foscam C1 Indoor HD Camera, application firmware 2.52.2.37

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

Foscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for consumers. Its range includes cameras for both indoor and outdoor use, with wireless capability. One of these models is the C1 series, which is based on the ARM architecture and ships with a web-based user interface for management. Foscam is one of the most widely deployed brands of security cameras on the current market.

The "webService" binary is launched at device boot and is responsible for starting several other executables (e.g. the HTTP daemon) and for configuring the FTP server. Before main() is entered, the program's start-up code calls each function listed in the binary's .init_array section, one after the other. "webService" contains 35 such initialization functions; this advisory describes a vulnerable path reachable from one of them, sub_1E6A4 [1].

sub_1E6A4 initializes several objects that are used later and starts several threads that handle communication with other applications running on the device. It also loads the user accounts [2] and configures the FTP server [3].

sub_5586C, the FTP configuration routine, calls two functions: one that reads the FTP configuration file (which contains only the FTP port number) [4], and one that populates the FTP database from the existing user accounts [5]. The latter is the vulnerable function.

sub_556B4 first calls [6] to load the user accounts from "/mnt/mtd/app/config/UserAccountConfig.bin". It then loops [7] over each account and checks its privilege level. If the privilege level is 2 [8], the service builds a command line from the format string "sh /usr/bin/ftpd/configFTP.sh 1 %s %s" [9] and the account's username [10] and password [11], without sanitizing either parameter. The resulting string is then passed to system() at [12]. Because the service enforces no restriction on the character set of usernames or passwords, an attacker who controls either field can inject characters that the Bourne shell interprets (for example ";" or "$(...)"), which allows execution of arbitrary commands in the context of the webService process.
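The pattern described above, reduced to a stand-alone C program. This is an added illustration written for this page, not code recovered from the webService binary: the first function fills the advisory's format string with unsanitized credentials exactly as a system()-based caller would, and the hardened variant rejects shell metacharacters with an allowlist and invokes the script through execv() with an argv array, so no shell ever parses the credentials. The helper names, the allowlist, the length limit and the sample payload are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Format string quoted in the advisory; the script path is the device's, the rest is illustrative. */
#define CONFIG_FTP_FMT "sh /usr/bin/ftpd/configFTP.sh 1 %s %s"

/* Vulnerable pattern: credentials are pasted verbatim into a shell command line.
 * Returns 0 on success, -1 if the command would not fit in the buffer. */
int build_ftp_cmd_vulnerable(char *out, size_t outlen, const char *user, const char *pass)
{
    int n = snprintf(out, outlen, CONFIG_FTP_FMT, user, pass);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Returns 1 if the string contains a byte that sh(1) may treat specially (conservative list). */
int has_shell_metachars(const char *s)
{
    static const char meta[] = ";|&$`\\\"'<>()[]{}*?~# \t\n\r";
    return strpbrk(s, meta) != NULL;
}

/* Allowlist (assumption for this example): 1..63 bytes drawn from [A-Za-z0-9_.@-]. */
int credential_is_safe(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 63)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '@' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened variant: validate both fields, then exec the interpreter directly with an
 * argv array. The credentials reach the script as positional parameters, never as
 * text that a shell tokenizes. Returns the script's exit status, or -1 on failure. */
int configure_ftp_account_safe(const char *user, const char *pass)
{
    if (!credential_is_safe(user) || !credential_is_safe(pass))
        return -1;
    char *const argv[] = { "/bin/sh", "/usr/bin/ftpd/configFTP.sh", "1",
                           (char *)user, (char *)pass, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    /* Constructed sample: an account whose password carries an injected command. */
    const char *user = "admin";
    const char *pass = "x;touch /tmp/pwned;";

    if (build_ftp_cmd_vulnerable(cmd, sizeof cmd, user, pass) == 0)
        printf("system() would receive: %s\n", cmd);
    printf("password contains shell metacharacters: %d\n", has_shell_metachars(pass));
    printf("hardened path accepts this account: %d\n", credential_is_safe(pass));
    return 0;
}
```

Even with the argv-based exec, the script itself must quote "$2" and "$3" wherever it uses them; the allowlist is what makes the account data safe regardless of how configFTP.sh handles its parameters.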

Exploit Proof-of-Concept

This vulnerability is reachable during the boot process. To trigger it, shell metacharacters must be placed in either the username or the password field of an account whose privilege level is 2, since only those accounts are passed to configFTP.sh. This can be done with the "changePassword" command, which requires valid credentials for the account whose password is being changed:

The device must then be rebooted by other means; the injected command is executed during the next boot, when webService reconfigures the FTP server.
Note that any command that modifies a username or password can be used instead, for example the "addAccount" command.